Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PSA: Public demo server (cors-anywhere.herokuapp.com) will be very limited by January 2021, 31st #301

Open
Rob--W opened this issue Dec 12, 2020 · 93 comments

Comments

@Rob--W
Copy link
Owner

Rob--W commented Dec 12, 2020

The demo server of CORS Anywhere (cors-anywhere.herokuapp.com) is meant to be a demo of this project. But abuse has become so common that the platform where the demo is hosted (Heroku) has asked me to shut down the server, despite efforts to counter the abuse (rate limits in #45 and #164, and blocking other forms of requests). Downtime becomes increasingly frequent (e.g. recently #300, #299, #295, #294, #287) due to abuse and its popularity.

To counter this, I will make the following changes:

  1. The rate limit will decrease from 200 (PSA: Countermeasures to abuse #164) per hour to 50 per hour.
  2. By January 31st, 2021, cors-anywhere.herokuapp.com will stop serving as an open proxy.
  3. From February 1st. 2021, cors-anywhere.herokuapp.com will only serve requests after the visitor has completed a challenge: The user (developer) must visit a page at cors-anywhere.herokuapp.com to temporarily unlock the demo for their browser. This allows developers to try out the functionality, to help with deciding on self-hosting or looking for alternatives.

What should current users of CORS Anywhere do in response to this announcement?

If possible, try to avoid the need for a proxy at all. CORS Anywhere works by combining proxy functionality with CORS. You may not need proxy functionality, if the web service that you are trying to access already supports CORS. This is the preferred solution because it is faster and more reliable. For development, you can also consider the use of browser extensions that automatically enables CORS for certain websites.

If your use of CORS Anywhere is infrequent, then the exception from step 3 above will allow you to continue as before. The only difference is that you need to explicitly opt in before access is temporarily allowed. If you'd like to not have these restrictions, then you should self-host CORS Anywhere.

For an example of self-hosting, see https://github.com/Rob--W/cors-anywhere#demo-server . There are also many questions and answers about hosting on the issue tracker here (https://github.com/Rob--W/cors-anywhere/issues). If you have questions, please search for existing issues first before opening a new issue.

@Rob--W
Copy link
Owner Author

Rob--W commented Feb 1, 2021

As announced, the public demo has been restricted. If you are developing a new web application and want to try out CORS Anywhere, visit https://cors-anywhere.herokuapp.com/ and click on the "Request temporary access to the demo server" button, to temporarily restore the full functionality of CORS Anywhere for your client only.

@yunyuyuan
Copy link

@gitalk

@rizkhal
Copy link

rizkhal commented Feb 2, 2021

i have message "You currently have temporary access to the demo server." but still not working

@Rob--W
Copy link
Owner Author

Rob--W commented Feb 2, 2021

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

@chrisabrams
Copy link

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

@Rob--W
Copy link
Owner Author

Rob--W commented Feb 5, 2021

@rizkhal Please file a new issue if you encounter what you think is a bug, and include details / reproduction steps.

Same issue. I go to /corsdemo and click on the button, then I try to make any request and still get a 403 forbidden.

Again: please file an issue with exact reproduction steps. 403 can also be the result of something else (e.g. it being the real reply). I cannot resolve the issue unless you share the steps/URL/code/commands to reproduce the issue.

@AlexyOd
Copy link

AlexyOd commented Feb 6, 2021

You currently have temporary access to the demo server., but not wirking

@Rob--W
Copy link
Owner Author

Rob--W commented Feb 6, 2021

I have just published an update to the demo server to improve the detection of a "client". Previously, Heroku routers were mistakenly identified as the "client", with the fix the actual clients are identified instead.

@ajsingh007
Copy link

Thanks for the PSA, was wondering why I was getting errors lol. This service was super useful to me and I am able to run it locally for a personal project. Am experimenting with hosting it on my own server. Appreciate your work on this project!!

@isoaxe
Copy link

isoaxe commented Feb 8, 2021

Hi Rob. Yesterday I requested temporary access via the button located at '/corsdemo'. This got my app working again, though today I had to go through the process again.

Is frequently re-requesting access the intended behaviour? For development purposes this is not an issue, but in production a user couldn't be expected to do this of course. I'm just using the app as a portfolio project by the way, with very little traffic.

@jumpjack
Copy link

jumpjack commented Feb 8, 2021

So what should I do to host cors-anywhere on my server? Documentation is very far from being clear.
Which folder structure should I create on my server?
Which files from the .zip I downloaded from github should I copy to the server?
Which address should I call from my script rather than "https://cors-anywhere.herokuapp.com" before the resource I need?
Which files should I edit to apply my own restriction?
Which kind of hosting service do I need? Shoud the server have any specific requirement, or will any hosting service work?

@heitorpacheco
Copy link

What can I do to use this in production? Is it just me to publish this project and use the url in front of my api?

@Rob--W
Copy link
Owner Author

Rob--W commented Feb 8, 2021

@isoaxe

Hi Rob. Yesterday I requested temporary access via the button located at '/corsdemo'. This got my app working again, though today I had to go through the process again.

Is frequently re-requesting access the intended behaviour?

This is intended. The announcement here and the page where you request access very clearly states that access is temporary. The public demo is identical to the source code in this repository, except with additional routing logic in front to verify that access is permitted. The access is regularly revoked (currently 1-2 times per day, sometimes more if the server is overloaded).

For development purposes this is not an issue, but in production a user couldn't be expected to do this of course. I'm just using the app as a portfolio project by the way, with very little traffic.

Previously, the demo server was open to everyone by default. Due to the abuse, the service was often slow or unavailable, which made it a bad service to rely on for portfolio sites. I have once received a request from a student to help them with recovering their grade after their application failed when the public demo was unavailable. These kinds of scenarios can only be avoided by very clearly making the demo opt-in.

For prototyping purposes (e.g. a demo project or an example on a portfolio), you could link to the /corsdemo page and ask visitors to click on the button, once, to opt in.

@jumpjack

So what should I do to host cors-anywhere on my server? Documentation is very far from being clear.

This project is a library that can be used to create a CORS proxy server. The project ships with a sample, server.js that uses the library with some default values. The top comment at this page links to "Demo server" in the README, which shows an example of starting the server (or even hosting it on Heroku). There are issues (questions & answers) on this issue tracker about hosting on other platforms.

I occasionally see people forking the project and removing requireHeaders+Origin, or allowing credentials (e.g. cookies). Do not commit the mistake of doing that, it is insecure. I have previously shared some comments about security at #152

Which folder structure should I create on my server?
Which files from the .zip I downloaded from github should I copy to the server?

The relevant files are referenced at

"files": [
"lib/",
"test/",
"Procfile",
"demo.html",
"server.js"
],

If you don't care about the unit tests, then lib/ and server.js can be copied.
It may be easier to clone the repository and occasionally fetch new changes. The public demo runs off a fork of the master branch of this repository.

Which address should I call from my script rather than "https://cors-anywhere.herokuapp.com" before the resource I need?

The server address (scheme + host name + port) on which the CORS Anywhere proxy is running.

Which files should I edit to apply my own restriction?

See the "Demo server" documentation, or edit server.js to have custom logic if the sample doesn't fit your needs.

Which kind of hosting service do I need? Shoud the server have any specific requirement, or will any hosting service work?

The hosting platform needs to be able to run Node.js.

@heitorpacheco

What can I do to use this in production? Is it just me to publish this project and use the url in front of my api?

If you want to operate an open proxy, then yes. If you want to apply restrictions, see my other remarks in this comment.

@isoaxe
Copy link

isoaxe commented Feb 9, 2021

Thanks for getting back to me. I'll give self hosting a go and and if I can't manage it just redirect to the corsdemo page as you suggest.

@ntotao
Copy link

ntotao commented Feb 9, 2021

Thanks for the hard work you have put in this, really remarkable job, I've mounted now a self-hosting instance, but really appreciated your openness before the headsup to close the service! much <3

@Corey-Wademan
Copy link

Hey Rob, thank you very much for all your documentation and updates. I was using cors-anywhere in my fetch api directing towards the Yelp Fusion API, and querying results into a personal project app on my portfolio. I'm doing everything strictly on the Front End (don't know how to do this on the backend yet), is there any other options you could recommend to solve this issue around the No 'Access-Control-Allow-Origin' header? Thanks again

Repository owner deleted a comment from jumpjack Feb 13, 2021
@Rob--W
Copy link
Owner Author

Rob--W commented Feb 13, 2021

@Corey-Wademan

I was using cors-anywhere in my fetch api directing towards the Yelp Fusion API, and querying results into a personal project app on my portfolio. I'm doing everything strictly on the Front End (don't know how to do this on the backend yet), is there any other options you could recommend to solve this issue around the No 'Access-Control-Allow-Origin' header?

The best solution is to ask your API service provider to support CORS. There appears to be a pending feature request, without recent activity though: Yelp/yelp-fusion#64
If that is not an option, then you have to make the request from a backend, either by building that backend yourself, or by self-hosting CORS Anywhere. The first comment here refers to the README for deploying CORS Anywhere to Heroku, and there are other issues on this issue tracker with instructions for other platforms.

PS. To everyone who is considering to post a new comment here - Please file a new issue if you have questions that are unrelated to the announcement here. This issue should only be used for comments related to the announcement.

@samneng
Copy link

samneng commented Feb 14, 2021

I have found a useful replacement
https://cors.bridged.cc/
See detail

@leboceb
Copy link

leboceb commented Feb 15, 2021

Hi guys any idea what we can use beside the above

Thanks

@isoaxe
Copy link

isoaxe commented Feb 15, 2021

@Corey-Wademan
If you're still looking for a solution to this problem, you can follow the steps in this readme.

@amirahefiene
Copy link

Hello i used this solution on dynamics crm 365 ,for this issue any update for the managed solution ? thanks

@samber
Copy link

samber commented Feb 16, 2021

Hi there,

I see some of you are looking for a replacement to cors-anywhere.

Don't waste your time searching for a better tool: just deploy your own instance to Heroku (free dyno).

It takes 5 minutes. 10 minutes if you need to create a Heroku account 😊

Rob--W added a commit that referenced this issue Feb 20, 2021
The custom filtering logic is not part of the public repository, to
keep the project clean.
@yunyuyuan
Copy link

Hi there,

I see some of you are looking for a replacement to cors-anywhere.

Don't waste your time searching for a better tool: just deploy your own instance to Heroku (free dyno).

It takes 5 minutes. 10 minutes if you need to create a Heroku account

It can work,but not good.
They will stop your app when nobody visit your app for a while.Then the next visit will be very slow

@eboughey
Copy link

eboughey commented Jul 1, 2022

For an example of self-hosting, see https://github.com/Rob--W/cors-anywhere#demo-server . There are also many questions and answers about hosting on the issue tracker here (https://github.com/Rob--W/cors-anywhere/issues). If you have questions, please search for existing issues first before opening a new issue.

Have you set up a paid version of this where you could keep track of any abusers and ban them if they pay and then abuse? I only know enough coding to get myself in trouble and I have to get temporary access daily to run an app we will probably be using several times a week. Thanks!

@embeddedt
Copy link

embeddedt commented Sep 4, 2022

Are there any recommendations for alternative hosting solutions to use for non-open proxies now that free Heroku dynos are going away?

See #434.

@Sayan-Maity
Copy link

I am not having any issue with the cors. Mine one is working fine

@JoeArmani
Copy link

@Rob--W Thanks a ton for making this available. Hosting my own now, but this demo and your instructions have been super helpful for getting set up.

@hemangjoshi37a

This comment was marked as off-topic.

@bangank36
Copy link

https://fast-dawn-89938.herokuapp.com/https://google.com

@chrahman the link is not working

@Rob--W
Copy link
Owner Author

Rob--W commented Mar 2, 2023

That was likely using free hosting, as seen in #434. I am paying for the hosting of cors-anywhere.herokuapp.com, which is therefore still up.

@Infuscomus
Copy link

@Rob--W Maybe you should add a donate button?

@DMSavchik
Copy link

Here is my hosted fork for this project: https://cors-proxy.fringe.zone/
You may see/add to the repository here:
https://github.com/DMSavchik/cors-anywhere

@zachyo
Copy link

zachyo commented Mar 31, 2023

@Rob--W Thanks a ton for making this available. Hosting my own now, but this demo and your instructions have been super helpful for getting set up.

Please I need a process on how to host and whitelist my site only.

@xriss
Copy link

xriss commented Jun 8, 2023

I made a thing of slight evil.

https://github.com/xriss/security-theater

Browser extension that hijacks the cors-anywhere url at the "fetch" level. Works on chrome etc but not firefox as firefox does not support v3 extensions, (yet?).

Not quite the same as the other cors extensions that patch http headers, this patches in page javascript and uses cors-anywhere as a trigger then passes the request into the extensions worker.

The idea is, install extension and you can use cors-anywhere.herokuapp.com without hitting the server and causing any bandwidth costs, don't install extension and you get an obvious intent to use some sort of cors proxy.

Is this a good idea?

Not sure...

@ZGCHOU
Copy link

ZGCHOU commented Aug 15, 2023

Here is my hosted fork for this project: https://cors-proxy.fringe.zone/ You may see/add to the repository here: https://github.com/DMSavchik/cors-anywhere

thankyou

@arpitjain2007
Copy link

Here is my hosted fork for this project: https://cors-proxy.fringe.zone/ You may see/add to the repository here: https://github.com/DMSavchik/cors-anywhere

I am trying the for calling circleCI from testrail. With your https://cors-proxy.fringe.zone/ it just works fine but if I host my version on heroku it gives cors , do you know the reason? I just fork your repo and deployed it on heroku

@sts-ryan-holton
Copy link

Would any developers be willing to pay for a cors proxy? Maybe on a metered billing by the number of requests they make?

@Rob--W
Copy link
Owner Author

Rob--W commented Dec 12, 2023

Payment is not the problem here. I am already footing the bill for keeping the server online. The problem is that the hosting platform does not want to support an open proxy due to abuse risks.

@DMSavchik
Copy link

Would any developers be willing to pay for a cors proxy? Maybe on a metered billing by the number of requests they make?

It's not a common request. And there is already some solutions on the market offering same thing. Much easier to make wrapped api on the server if you have access.

@Ayush5601
Copy link

Here is my hosted fork for this project: https://cors-proxy.fringe.zone/ You may see/add to the repository here: https://github.com/DMSavchik/cors-anywhere

Could you pls tell how to depoy this over netlify for free to make our own custom proxy?

@jonathasborges1
Copy link

https://cors.bridged.cc/

is very helpful

@hemangjoshi37a
Copy link

I understand many of you are experiencing issues with the limited functionality of the cors-anywhere demo server. Here are some steps to address common problems:

  1. Self-Hosting: The best long-term solution is to self-host cors-anywhere. Rob--W has provided detailed instructions in the README on the GitHub page. Self-hosting gives you full control and avoids the limitations of the demo server.

  2. Alternatives: If self-hosting isn't feasible, consider alternatives like https://cors.bridged.cc/ or deploying on other platforms like Netlify. These solutions might offer a temporary workaround.

  3. Temporary Access: For immediate, short-term use, you can still gain temporary access to the demo server by visiting https://cors-anywhere.herokuapp.com/ and clicking "Request temporary access".

  4. Contribute: If you have suggestions or improvements, consider contributing to the project. Your input could help enhance the functionality for all users.

Remember, the demo is intended for development and testing, not for production use.

@cabmeron
Copy link

RIP brother thank you for your service

@cabmeron
Copy link

RIP brother thank you for your service

Jezz, He died?

No :O

I just started using this and wanted to pay my dues to the golden age

@codingiswhyicry
Copy link

To add to anyone who doesn't know where to get started, you can very easily make a fork of this repo and deploy it directly from Vercel. Took me about 3 minutes.

@chukwunonsoprosper
Copy link

Can you provide a permanent usage to this solution

@Ayush5601
Copy link

Ayush5601 commented Jun 22, 2024

To add to anyone who doesn't know where to get started, you can very easily make a fork of this repo and deploy it directly from Vercel. Took me about 3 minutes.

I tried to use vercel but it says "not found" https://cors-anywhere-green-eight.vercel.app/

Like pls share any additional configs file required, or modifications need to me made. It would be much helpful!

@rameez149
Copy link

Didj

@yodaluca23
Copy link

yodaluca23 commented Jul 18, 2024

For anyone wanting to quickly and easily convert their existing projects.
Find: "cors-anywhere.herokuapp.com/"
Replace with "corsproxy.io/?"
Make sure you include the "?" that the only difference from cors-anywhere
It's another proxy that integrates almost identically... No other steps needed, it has no API keys, or anything!

@SantiiRepair
Copy link

Here is my own proxy server https://fast-dawn-89938.herokuapp.com/ demo: https://fast-dawn-89938.herokuapp.com/https://google.com

Have a good day! 😊😍

Does not works

@SantiiRepair
Copy link

Here is my hosted fork for this project: https://cors-proxy.fringe.zone/ You may see/add to the repository here: https://github.com/DMSavchik/cors-anywhere

Amazing!! Thank you so much

@SlavaVechir
Copy link

SlavaVechir commented Nov 22, 2024

Is there any alternative to this that actually makes server cors but also doesnt require activasion like this one(I have tried multiple services but they dont actually make the server cors), dont ask why I cant just create a proxy server(it is because of financial reasons).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests